Threat Actors Setting Up Persistent Access to Hosts Hacked in CrushFTP Attacks www.securityweek.com/threat-ac…

Cybersecurity firm Huntress has shared details on the post-exploitation activities seen in the attacks leveraging the recently disclosed CrushFTP vulnerability.

The vulnerability, discovered by researchers at security firm Outpost24, is tracked as CVE-2025-31161 and it allows an attacker to bypass authentication and gain access to a system.

Its disclosure has been shrouded in controversy, with developers of the enterprise file transfer solution blaming security firms for the quick in-the-wild exploitation of the flaw.

Huntress has been seeing attacks exploiting the CrushFTP vulnerability since March 30. Initially, threat actors appeared to be testing access, but the security firm later started observing post-exploitation activity aimed at setting up persistent access to targeted hosts.

The attacks seen by Huntress were aimed at four companies, including three that were hosted by the same MSP. The targets were firms in the marketing, retail, and semiconductor sectors.